Bugtraq mailing list archives
Re: Update: Extending the FTP "ALG" vulnerability to any FTP client
From: avalon () COOMBS ANU EDU AU (Darren Reed)
Date: Wed, 15 Mar 2000 15:27:36 +1100
In some mail from Mikael Olsson, sie said:
> * RealAudio/Video (secondary UDP channel)

This can't be exploited in even close to the same way, if the proxy is properly implemented. You might be able to write a Java class to exploit this from a web server which was waiting more easily than playing funny games with URLs in HTML pages...if the web server is evil, having Java enabled is a big risk.

> Workarounds to this specific vulnerability
> --------------------------------------------
> * Disable active FTP. Errrr, wait. The fix for the server side vulnerability was to disable passive FTP. Let's rephrase that:

Which specific vulnerability was this? And was it a vulnerability or a DoS problem?

Oh, FWIW, some people do run ftp servers on non-port 20/21 with the ftp-data port still one less than the real ftp port.

Darren